Your Business Solutions urges all organizations using FortiOS and FortiProxy to address a newly discovered Fortinet security vulnerability (CVE-2024-55591), which affects Fortinet products. This high-severity flaw, rated with a CVSS score of 9.6, can allow attackers to gain super-admin privileges through crafted requests to the Node.js websocket module. Devices running firmware versions between 7.0.14 and 7.0.16, released from February to October 2024, are particularly vulnerable to this Fortinet security vulnerability.
Current Threat Landscape: Active Exploitation
Active exploitation of this Fortinet security vulnerability has been observed in a multi-phase attack campaign targeting vulnerable FortiGate devices between November and December 2024. The attackers move through four stages:
- Initial Scanning: Attackers scan for vulnerable devices, using the jsconsole command-line interface. They often employ unusual or spoofed IP addresses, such as loopback addresses (e.g., 127.0.0.1) or public DNS resolvers (e.g., 8.8.8.8).
- Reconnaissance: Attackers test if they have gained administrative privileges by making initial configuration changes.
- VPN Configuration: Attackers configure SSL VPN access, creating new super admin accounts or hijacking existing ones to infiltrate the network. They may also modify VPN portal settings or exploit default accounts for control.
- Credential Extraction: Using the DCSync technique, attackers extract credentials via domain replication, giving them deeper access to sensitive information.
As of January 14, 2025, Your Business Solutions' APG and SOC have not detected any indications of the campaign affecting monitored environments.
Recommendations for Fortinet Device Users
To mitigate the risks posed by the Fortinet security vulnerability, Your Business Solutions recommends the following actions:
- Upgrade Firmware: Update to the latest available versions of FortiOS (7.0.17 or above) and FortiProxy (7.2.13 or above, 7.0.20 or above) as outlined in Fortinet’s advisory.
- Disable Public Management Interface Access: Ensure firewall management interfaces are not accessible from the public internet.
- Regularly Update Firmware: Patch devices to the latest stable version to protect against known vulnerabilities.
- Monitor for Anomalous Activity: Watch for unusual login behaviors, such as short-lived admin logins or logins from loopback IPs.
- Implement Multifactor Authentication (MFA): Strengthen administrative login security by enabling MFA.
- Conduct Threat Hunting: Investigate for signs of malicious activity, such as unauthorized configuration changes or new SSL VPN account setups.
Conclusion
By following these best practices, you can significantly reduce the risk associated with the Fortinet security vulnerability and ensure your network remains secure. Don’t wait, act now to protect your business from potential exploitation. For expert guidance on securing your systems, contact a trusted IT provider in Texas. As a leading cybersecurity provider in Dallas, we offer comprehensive solutions to safeguard your organization from evolving cyber threats.